During a recent penetration test, we evaluated the security of a typical corporate employee notebook. It was to be assessed whether employees with a default corporate user account would be able to gain administrative access and subsequently abuse the system for attacks against a certain high value database system. When evaluating this problem set, the first step is to find ways to bring tools and exploit code on the system. Usually this task requires the bypassing of the malware protection agent of the system. At some point, we thought we figured a way to encode exploits and payloads in a way that would not be detected by the malware protection solution.
But as we soon realized, it wasn’t the encoding which made the malware protection fail but another issue. The installed solution was TrendMicro OfficeScan, a comprehensive endpoint suite for all kinds of endpoint protection mechanisms such as malware protection, hard drive encryption, or DLP integration. The malware protection module was also announced as a “Cloud AntiVirus Solution”. In the concrete case, this means that the analysis of files is not performed on the endpoint itself but on a centralized server (which, from our point of view, would qualify as centralized or server-based AntiVirus but not Cloud AntiVirus… but this discussion is out of scope of this blogpost 😉 ).
Coming back to the initial scenario, the encoding of the exploit code did actually help to bypass the AV, but not in the way we initially thought. The local AV client knows malicious files it has detected before based on their hash values. Files with an unknown hash value are transferred to the centralized analysis server. Referring to the OfficeScan Smart Protection Server Getting Started Guide:
“File reputation technology from Trend Micro checks the reputation of each file against an extensive in-the-cloud database. Since the malware information is stored in the cloud, it is available instantly to all users.”
Obviously different encodings change the hash value of the exploit code, and the AV client does not recognize the file as malicious anymore. Thus it must send the file to the analysis server. We became aware of this fact since we pulled the network cable of the endpoint at some point in time: From then on, no malicious code (that has not been detected before) was detected any more. Hence we were able to execute arbitrary code on the system – just like any malware could do.
To summarize this in one sentence: If someone pulls the network cable of the system, there is no more malware protection in place. Not by running black magic exploit code or abusing extensive user rights… just by pulling the network cable.
Since we were not to perform an extensive malware protection product evaluation, we stopped our research at some point, so at this point we can not yet make any further conclusions. Yet, and even this should be obvious, one of our basic security principles is important again: Carefully select and evaluate the security technology you bring to your environment! The OfficeScan suite is promoted for virtualized client environments, yet not restricted to them. In a virtualized environment, the described malware protection approach might be valid, since the system cannot be accessed without connectivity, and therefore it does not matter if this disables AV protection. But for a typical “local” endpoint system, this approach does not necessarily provide appropriate AV protection. Even though we do not say that it is not possible to design a secure system without AV, in most environments this might lead to severe business risks. Therefore, if you are looking for a suggestion for a new year’s resolution, here we go: “We will not integrate more security technologies without careful evaluation and risk assessment any more” 😉
Have a great weekend,